Other Countries Talk Tough on Data Privacy, but Enforcement Is Weak

In Areas Recovering From Government Abuse, Data Privacy Is Considered a Right

With so many eyes trained on the National Security Administration's PRISM program, it's easy to forget that data collection and use, and privacy rules that govern it, exist across the globe -- not just in the U.S. and Europe. In Latin America, India, Africa, Australia, Canada and elsewhere, the privacy rules tend to be more strict than here in the U.S. But, insiders point to one significant differentiator: enforcement is stronger in the U.S.

Following the footpaths of other Latin American countries including Mexico, Chile and Brazil are exploring new privacy rules, said Matthew DelNero, a partner at Covington and Burling, who spoke earlier this month at the Privacy Identity Innovation conference in Seattle.

"I sort of look at it as E.U. plus," he said, suggesting that the laws being established throughout Latin America tend to be inspired by the European Union's 1995 Data Protection Directive, which spells out requirements for handling personal data.

Spooked by the NSA's PRISM program, Brazil's President Dilma Rousseff wants to pass a law requiring foreign companies that gather data from within Brazil to store that information in Brazil.

The concept of privacy in much of Latin America, said Mr. DelNero, is influenced by the history of communism and facsism there. Rather than centering on corporate use of consumer data, it sometimes stems from the desire to correct government records that label individuals incorrectly as spies, for example.

That cultural history has an impact on corporate data legislation, he said, noting that data privacy is considered a fundamental human right in Latin America.

People in India, where the call-center industry creates lots of consumer data, also have privacy on the radar more than ever, said Amrita Srivastava, partner at Desh International Law, during the conference. Indians are becoming more aware of online privacy and data monetization, she said. The country incorporated data privacy rules in its Information Technology Amendment of 2008.

As in Latin America, culture affects attitudes towards personal privacy, said Ms. Srivastava. "Your expectation of privacy is generally nil," because the large population lives in very tight quarters, she said. "That's why it's taken this long to think about and bring about any privacy laws" in India.

There is still work to be done, she continued. "The Indian outsourcing industry needs to instill a sense of confidence...in how it respects U.S. and E.U. data," to show E.U. and U.S. companies that their data is safe with Indian firms, she said.

When maneuvering differing global privacy rules, "We have to figure out what's the highest bar we have to uphold" in terms of privacy and data transfer, said Dona Fraser, VP of Privacy Certified at the Entertainment Software Rating Board, where she works with game and app developers in Africa, Australia, Canada and elsewhere on privacy compliance. "It can actually impact your rollout dates for an app," she said.

As in the U.S., some countries are tacking on rules for mobile privacy. In India, where mobile SMS spam is "incessant," noted Ms. Srivastava, there is a mobile privacy law. However, she said, "We still have to see enforcement with that."

Indeed, enforcement is a hurdle outside the U.S. despite the array of laws, agreed the privacy lawyers. U.S. enforcement is driven by the Federal Trade Commission, which has brought 32 legal actions against organizations in violation of consumer privacy rights, according to the FTC site.

"I think it is true that the U.S. enforces more than everyone else," said Mr. DelNero.